Cryptography – Learn What It’s All About

September 25, 2012 by Mike Szczys 8 Comments

The concept of cryptography touches our lives many times per day, and that’s probably a conservative estimate. We have a pretty good idea of how it works, having dealt with public-key cryptography for things like remote git repositories or ssh tunneling without a password. But we still enjoyed reading [Tiberiu Barbu’s] primer on the subject which he calls From 0 to Cryptography.

He begins the discussion with a definition of terms but quickly moves to the topic of key distribution. If you’re using a key to decipher data, how can you make sure that key only makes it to the person whom you want reading the data? One way is to use a Diffie-Hellman key exchange. The diagram above illustrates the trade, which uses an agreed upon value (color in this example) as a common starting point, then goes from there. After working our way through the key exchange scenario [Tiberiu] then runs the gammut of other options, include Public-Key, RSA, Hash, Digital Certificate, and a few others. It’s not a long post considering how many topics it covers. If you don’t have time today, make sure to save it for the weekend.

[via Reddit]

Time-based One-Time Passwords With An Arduino

July 11, 2012 by Mike Szczys 13 Comments

Get your feet wet with Time-based One-Time Password (TOTP) security by building your own Arduino OATH system. OATH is an open standard authentication system that provides a platform to generate tokens, making your login more secure than a password alone would.

The TOTP approach is what is used with many companies that issue hardware-based dongles for logging in remotely. This security may have been compromised but it’s still better than passwords alone. Plus, if you’re building it around an Arduino we’d bet you’re just trying to learn and not actually responsible for protecting industrial or state secrets.

The hardware setup requires nothing more than the Arduino board with one button and a screen as a user interface. Since the board has a crystal oscillator it keeps fairly accurate time (as long as it remains powered). It will push out a new token every thirty seconds. The video after the break shows that the Arduino-calculated value does indeed match what the test box is displaying.

Continue reading “Time-based One-Time Passwords With An Arduino” →

RSA SecurID Breach Leads To Intrusion At Lockheed Martin

May 28, 2011 by Mike Nathan 45 Comments

rsa_securid

It looks like Lockheed Martin is the latest victim in what seems to be an endless string of security breaches. This time however, it does not look like a lack of security measures led to the breach. In fact, it seems that Lockheed’s implementation of a widely-trusted security tool was the attack vector this time around.

Last month we reported on the apparent compromise of RSA’s SecurID product, and while many speculated that this intrusion could lead to subsequent attacks, the firm downplayed the breach. They stated that the stolen data was unlikely to affect their customers, but as usual, the problem appears to be far larger than originally estimated.

The breadth of the intrusion is currently unknown, and with both RSA and Lockheed officials keeping mum, it may be some time before anyone knows how serious it is. When military secrets are in question however, you know it can’t be good!

RSA SecurID Two-factor Authentication Comprimised

April 13, 2011 by Mike Szczys 34 Comments

SecurID is a two-factor hardware-based authentication system. It requires you to enter the number displayed on a hardware fob like the one seen above, along with the rest of your login information. It’s regarded to be a very secure method of protecting information when users are logging into a company’s secure system remotely. But as with everything else, there’s always a way to break the security. It sounds like last month someone hacked into the servers of the company that makes SecurID.

You’ll need to read between the lines of that letter from RSA (the security division of EMC) Executive Chairman [Art Coviello]. He admits that someone was poking around in their system and that they got their hands on information that relates to the SecurID system. He goes on to say that the information that the attackers grabbed doesn’t facilitate direct attacks on RSA’s customers.

We’d guess that the attackers may have what they need to brute-force a SecurID system, although perhaps they have now way to match which system belongs to which customer. What’s you’re take on the matter? Lets us know by leaving a comment.

[via Engadget]

ToorCon 9: Crypto Boot Camp

October 19, 2007 by Eliot 3 Comments

[Rodney Thayer] gave a 2 hour seminar on cryptographic technology. It was designed to give the audience a working knowledge for dealing with vendors. He gave some rules of thumb for choosing encryption. In order of preference, when doing symmetric key crypto: use AES with a minimum 128bit key, if not that 3-key Triple-DES, or last RC4 with 128bit key. For hashing: SHA 256 preferred, SHA 1 if you can’t do any better, and MD5 if you can’t SHA. For public key: RSA using at least a 2048bit key. The top choices in these lists were picked because they’ve stood up to years of scrutiny. One major theme of talk was to never roll your own crypto algorithm or buy someone elses. Proprietary algorithms get broken all the time, like the GSM A5 crypto we talked about earlier this year.